How to add Certificate Authority file in CentOS 7 - ssl-certificate

I am trying to add a Certificate Authority (CA) file named ca.crt to /etc/ssl/certs; for that I followed this article.
I copied my ca.crt file to /etc/pki/ca-trust/source/anchors/ and ran the command below:
update-ca-trust extract
After that I checked /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt file, but I didn't find my CA.
I am not able to figure out what may be the problem.
What am I doing wrong and how can I fix it?

Copy your certificates into
/etc/pki/ca-trust/source/anchors/
then run the following command:
update-ca-trust

Find the *.pem file and place it in the anchors sub-directory, or simply link the *.pem file there.
yum install -y ca-certificates
update-ca-trust force-enable
sudo ln -s /etc/ssl/your-cert.pem /etc/pki/ca-trust/source/anchors/your-cert.pem
update-ca-trust

Your CA file must have been in a binary X.509 format instead of Base64 encoding; it needs to be a regular DER or PEM in order for it to be added successfully to the list of trusted CAs on your server.
To proceed, do place your CA file inside your /usr/share/pki/ca-trust-source/anchors/ directory, then run the command line below (you might need sudo privileges based on your settings);
# CentOS 7, Red Hat 7, Oracle Linux 7
update-ca-trust
Please note that all trust settings available in the /usr/share/pki/ca-trust-source/anchors/ directory are interpreted with a lower priority compared to the ones placed under the /etc/pki/ca-trust/source/anchors/ directory which may be in the extended BEGIN TRUSTED file format.
For Ubuntu and Debian systems, /usr/local/share/ca-certificates/ is the preferred directory for that purpose.
As such, you need to place your CA file within the /usr/local/share/ca-certificates/ directory, then update the list of trusted CAs by running, with sudo privileges where required, the command line below;
update-ca-certificates

QUICK HELP 1: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:
add it as a new file to directory /etc/pki/ca-trust/source/anchors/
run update-ca-trust extract
QUICK HELP 2: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
add it as a new file to directory /etc/pki/ca-trust/source/
run update-ca-trust extract
For more detailed information, see man update-ca-trust

Maybe late to the party but in my case it was RHEL 6.8:
Copy certificate.crt issued by hosting to:
/etc/pki/ca-trust/source/anchors/
Then:
update-ca-trust force-enable (ignore not found warnings)
update-ca-trust extract
Hope it helps

Complete instructions are as follows:
Extract Private Key from PFX
openssl pkcs12 -in myfile.pfx -nocerts -out private-key.pem -nodes
Extract Certificate from PFX
openssl pkcs12 -in myfile.pfx -nokeys -out certificate.pem
Install certificate
yum install -y ca-certificates
cp your-cert.pem /etc/pki/ca-trust/source/anchors/your-cert.pem
update-ca-trust
update-ca-trust force-enable
Hope to be useful
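
Added example (not part of any answer above, and not taken from the linked article): a shell check for the symptom in the question, assuming the openssl CLI is installed. It accepts a CA file in PEM or DER form and compares SHA-256 fingerprints against every block of an extracted bundle, which also covers the BEGIN TRUSTED blocks mentioned above. The function names to_pem, fp and in_bundle and the script name check-ca.sh are hypothetical.

```shell
#!/bin/sh
# Added example: is my CA really in the extracted trust bundle?
# Function names are hypothetical; requires the openssl CLI.

# Emit the certificate in $1 as PEM, accepting PEM or binary DER input.
to_pem() {
    openssl x509 -in "$1" -inform PEM -outform PEM 2>/dev/null ||
    openssl x509 -in "$1" -inform DER -outform PEM 2>/dev/null
}

# SHA-256 fingerprint of the single certificate on stdin.
# openssl x509 reads both CERTIFICATE and TRUSTED CERTIFICATE blocks.
fp() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# in_bundle CERT BUNDLE
# 0 = CERT is in BUNDLE, 1 = not found, 2 = CERT is not a readable X.509 file.
in_bundle() {
    ib_want=$(to_pem "$1" | fp)
    [ -n "$ib_want" ] || return 2
    ib_block=""
    while IFS= read -r ib_line; do
        ib_block="$ib_block$ib_line
"
        case $ib_line in
            "-----END "*"CERTIFICATE-----")
                # One complete PEM block collected: compare fingerprints.
                if [ "$(printf '%s' "$ib_block" | fp)" = "$ib_want" ]; then
                    return 0
                fi
                ib_block="" ;;
        esac
    done < "$2"
    return 1
}

# Usage (hypothetical script name):
#   sh check-ca.sh ca.crt /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
if [ "$#" -eq 2 ]; then
    rc=0
    in_bundle "$1" "$2" || rc=$?
    case $rc in
        0) echo "present in bundle" ;;
        1) echo "NOT in bundle" ;;
        *) echo "cannot parse $1 as PEM or DER X.509" ;;
    esac
fi
```

A return code of 2 means the file in anchors is not a certificate that openssl can read at all, which is worth ruling out before re-running update-ca-trust.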

Related

openssl command generates an empty .key file from .pfx file

When I try to generate a key from a pfx certificate file, it creates an empty file
openssl pkcs12 -in test.pfx -nocerts -out test.key -nodes
I executed the command on Git Bash, Windows Server 2019. The command seems to run without stopping because I can't type.
Thanks

server certificate verification failed while installing Kubernetes on Ubuntu 16.04

I'm setting up a Kubernetes cluster and as part of that, I ran the following command (mentioned on official docs: https://kubernetes.io/docs/tasks/tools/install-kubectl/) :
sudo apt-get update && sudo apt-get install -y apt-transport-https
However, it fails with the following error:
Err:3 https://packages.cloud.google.com/apt kubernetes-xenial/main amd64 Packages
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Now, I fetch the certificate with this command :
ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect packages.cloud.google.com:443) -scq > kubecertificate.crt
I get the following response :
verify error:num=20:unable to get local issuer certificate
DONE
But since I see content inside my kubecertificate.crt file , I go ahead and copy the certificate in /usr/local/share/ca-certificates/ directory.
Then I run:
update-ca-certificates
After updating my ca certificates bundle, I re run the first command mentioned.
It again fails with the server certificate verification failed error.
Please help me understand where I am going wrong. Is it because I'm unable to get the local issuer certificate? Please help.
Are you using an i386 image or is there some firewall involved? If it is the 64-bit version of Xenial then it must be some kind of system issue.
Take a look at this case. Especially I would check the current system time date -R and apt-get install NTP as advised by @davidthings as I remember having a similar problem. There are also a lot of different solutions which could help, listed in the linked case - check which one is applicable for you and update if you succeeded.
After that you can try with this, to download kubectl, kubelet and kubeadm (or edit it accordingly if you want just one)
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg |
apt-key add -
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb http://apt.kubernetes.io/ kubernetes-xenial main
EOF
sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl

Certbot - Could not find a suitable TLS CA certificate bundle [Archlinux]

I'm trying to generate a certificate from Let's Encrypt over certbot (package ver. 0.21.1.-1), but I'm getting an error. I'm using the webroot module.
OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/ssl/certs/ca-certificates.crt
I don't have a file with this filename there. Should I generate it or download it?
Maybe /etc/ssl/certs/ca-certificates.crt does not exist.
Try running sudo update-ca-certificates to create it.
I ended up doing cd /etc/ssl/certs followed by cat *.pem >> ca-certificates.crt
Not the most elegant solution and you'll have to delete the file and redo it every time the ca-certificates package (or its dependents) update...
Try running sudo pacman -S ca-certificates to install the core certificates
For me, update-ca-trust did the trick.
It happens because the original ca-certificates.crt file is missing.
In my case, I removed it when adding a new certificate file containing my website.com as a CN (Common Name). Fortunately, I had a backup copy of that file.
If you have that file, just put it again in the directory:
/etc/ssl/certs/ca-certificates.crt
Or try to add a new one with the same name.

Install .cer certificates debian

I have to install a certificate on my server, but they only gave me a .cer file. I searched on some forums, but I didn't find anything on how to install it, just for .crt files...
How could I install it?
Thanks a lot
You must first convert the cer file into a crt file.
openssl x509 -inform DER -in <fullfilepath>/certificate.cer -out certificate.crt
Then to install do the following:
sudo mkdir /usr/local/share/ca-certificates/my-custom-ca
sudo cp certificate.crt /usr/local/share/ca-certificates/my-custom-ca
sudo update-ca-certificates
You can find the full installation procedure here.
.cer certificate is a Microsoft specific format. You can try to convert from .cer into .crt before installation following such a guide in the answer provided here: convert_cer_to_crt

Create a PEM from a PPK file [duplicate]

So there are plenty of tutorials on how to convert a PEM to a PPK using PuTTYgen. However, my issue is that my Windows machine had the only PEM copy and I converted it into a PPK and deleted it. Now I need to figure out how to convert a PPK into a PEM so that my Mac can ssh into the server. I still have access to the server so I could also just make a new key if I had to. Does anyone know how to convert PPK to PEM?
Install PuttyTools
apt-get install putty-tools
Generate a pem file from the ppk
puttygen server.ppk -O private-openssh -o server.pem
The server.pem file will be saved in the same location
If you're on a Mac and you've previously installed Homebrew, from Terminal:
$ brew install putty
$ puttygen server.ppk -O private-openssh -o server.pem
The first command was suggested in this comment and the second from Emizen Tech's answer.
Try this to install putty-tools
sudo apt install putty-tools
puttygen key.ppk -O private-openssh -o key.pem
ssh -i ~/key.pem {user}@{ip}
First, install PuTTY for Mac using
brew install putty
Then, use the following command to convert the .ppk format private key to a standard PEM format private key:
puttygen privatekey.ppk -O private-openssh -o privatekey.pem
Make sure permissions on the private key file are set properly. It should only be readable by the user that owns it.
chmod go-rw privatekey.pem
You can now use the key for logins from scripts and command line with:
ssh -i privatekey.pem user@hostname